[Asterisk-Dev] Security Issue in Asterisk with sip.conf configuration.

Rob Gagnon rob at networkip.net
Tue Apr 27 21:14:45 MST 2004


Have you tried using:

permit=
deny=

entries in the sip.conf file?
You can have as many of those as you need to create an ACL.


----- Original Message ----- 
From: "William Zhang" <w_w_zhang at yahoo.com>
To: <asterisk-dev at lists.digium.com>
Sent: Tuesday, April 27, 2004 5:31 PM
Subject: [Asterisk-Dev] Security Issue in Asterisk with sip.conf configuration.


> I had tried many ways with some advanced user help, but without
> success (at one point I thought I had it working).
>
> Here Asterisk is working as a SIP PSTN Gateway, and in the sip.conf
> file, there are a lot of entries with just "host=a.b.c.d", thinking
> that * will only accept calls from host "a.b.c.d", but in my test, no
> matter how you set up the sip.conf entries, either * will NOT accept
> calls for that user account at all, or it will accept calls from
> anywhere without VERIFYING the source IP (whether it is "a.b.c.d" or not),
> so long as the SIP userid is the username in sip.conf. This poses a very
> serious security problem.
>
> Of course we can put "secret=" for each entry, but given that the Asterisk GW
> and SIP proxy are on 2 TRUSTED IPs, no Authentication is necessary;
> otherwise it increases the SIP traffic quite a bit.
>
> Following are the 4 different entries that I had tried:
> #Notice that in the "general" section, context is pointed to a non-existent
> context "INVALID".
>
> ;
> ; SIP Configuration for Asterisk
> ;
> [general]
> port = 5060                     ; Port to bind to
> bindaddr = 212.213.66.68
> context = INVALID               ;
> ;srvlookup = yes                ; Enable SRV lookups on outbound calls
> ;pedantic = yes                 ; Enable slow, pedantic checking for Pingtel
> ;tos=lowdelay
> ;tos=184
> ;maxexpirey=3600                ; Max length of incoming registration we allow
> ;defaultexpirey=120             ; Default length of incoming/outgoing registration
> ;notifymimetype=text/plain      ; Allow overriding of mime type in NOTIFY
> ;videosupport=yes               ; Turn on support for SIP video
> disallow=all                    ; Disallow all codecs
> allow=ulaw                      ; Allow codecs in order of preference
> allow=g729
> allow=ilbc
> ;
> ;dtmfmode=info
> ;dtmfmode=inband
> dtmfmode=rfc2833
>
>
>
> [20034]
> type=friend
> callerid=TEST <61331045>
> host=212.213.65.66
> nat=yes                        ; This phone may be natted
> canreinvite=no
>
> [20035]
> type=peers
> callerid=TEST <61331045>
> host=212.213.65.66
> nat=yes                        ; This phone may be natted
> canreinvite=no
>
> [20036]
> type=friend
> context=default
> callerid=TEST <61331045>
> host=212.213.65.66
> permit=212.213.65.66
> nat=yes                        ; This phone may be natted
> canreinvite=no
>
> [20037]
> type=peers
> context=default
> callerid=TEST <61331045>
> permit=212.213.65.66
> nat=yes                        ; This phone may be natted
> canreinvite=no
>
> Thank you in advance.
>
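To make the permit=/deny= suggestion concrete, here is an added example (not code from either poster, and not Asterisk's own source) that emulates how Asterisk evaluates a peer's ACL: rules are checked in file order, the last rule that matches the source address decides, and an address matching no rule is allowed. The sip.conf fragments, the trusted address 212.213.65.66 from the thread, and the untrusted address 198.51.100.7 are constructed for the demonstration. It also shows the ordering caveat: a deny-all placed after the permit rejects the trusted proxy as well.

```python
import ipaddress
from typing import List, Tuple

# Illustrative ACL evaluator modelled on the rule semantics of Asterisk's
# ast_apply_ha(): rules are applied in order, the LAST matching rule wins,
# and a source that matches no rule is allowed. Not Asterisk's own code.

Rule = Tuple[bool, ipaddress.IPv4Network]   # (True = permit, False = deny)


def parse_rule(key: str, value: str) -> Rule:
    """Turn one permit=/deny= value into (sense, network).

    Accepts 'a.b.c.d', 'a.b.c.d/prefixlen' and 'a.b.c.d/w.x.y.z' as sip.conf does.
    A bare address is treated as a single host (/32).
    """
    if key not in ("permit", "deny"):
        raise ValueError(f"not an ACL key: {key}")
    addr, _, mask = value.partition("/")
    if not mask:
        mask = "32"
    # strict=False masks off host bits, the same as netaddr &= netmask in Asterisk
    net = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
    return (key == "permit", net)


def parse_section(lines: List[str]) -> List[Rule]:
    """Collect the permit/deny rules of one sip.conf section, in file order."""
    rules: List[Rule] = []
    for raw in lines:
        line = raw.split(";", 1)[0].strip()       # drop trailing ; comments
        if "=" not in line:                       # section headers, blanks
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in ("permit", "deny"):
            rules.append(parse_rule(key, value))
    return rules


def acl_allows(rules: List[Rule], source_ip: str) -> bool:
    """Last matching rule wins; no match at all means the source is allowed."""
    ip = ipaddress.IPv4Address(source_ip)
    allowed = True                                # Asterisk starts optimistic
    for permit, net in rules:
        if ip in net:
            allowed = permit
    return allowed


def check(section_lines: List[str], source_ip: str) -> bool:
    """Convenience wrapper: parse a section and evaluate one source address."""
    return acl_allows(parse_section(section_lines), source_ip)


# Constructed sip.conf fragments for the demonstration (placeholders, not the
# original poster's file). Drop everyone first, then re-admit the trusted proxy.
GOOD_PEER = """
[20036]
type=peer
host=212.213.65.66
deny=0.0.0.0/0.0.0.0                    ; first drop every source ...
permit=212.213.65.66/255.255.255.255    ; ... then re-admit the trusted proxy
""".splitlines()

# Same two rules in the wrong order: the deny-all is evaluated last and
# matches every address, so even the trusted proxy is rejected.
MISORDERED_PEER = """
[20036]
type=peer
host=212.213.65.66
permit=212.213.65.66
deny=0.0.0.0/0.0.0.0
""".splitlines()

# No permit/deny lines at all: the ACL check itself accepts any source.
NO_ACL_PEER = """
[20034]
type=friend
host=212.213.65.66
""".splitlines()


if __name__ == "__main__":
    sections = (("good", GOOD_PEER), ("misordered", MISORDERED_PEER), ("no-acl", NO_ACL_PEER))
    for name, section in sections:
        for ip in ("212.213.65.66", "198.51.100.7"):   # trusted proxy, constructed stranger
            verdict = "allow" if check(section, ip) else "deny"
            print(f"{name:10s} {ip:15s} -> {verdict}")
```

The pattern worth keeping is the pair deny=0.0.0.0/0.0.0.0 followed by permit=<trusted host>; reversing the two lines silently locks the trusted peer out, and omitting both leaves the ACL wide open, which is the situation the original post describes.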
